HIPAA’s requirements vary significantly in their impact on self-insured versus fully insured plans, with greater responsibilities and administrative burdens placed on self-insured group health plan sponsors. Fully insured group health plans must comply with certain provisions as well, though the scope of those requirements will depend on whether the plan handles participant health data.
This guide focuses on HIPAA’s Administrative Simplification provisions, which were implemented to streamline healthcare operations and enhance the privacy and security of health data. The Privacy, Security, and Breach Notification Rules (referred to here collectively as the Privacy and Security Rules for ease of reference) establish standards for safeguarding protected health information (PHI) and for responding to data breaches. The Privacy Rule covers PHI in any form, paper or electronic; the Security Rule’s administrative, physical, and technical safeguard requirements apply specifically to electronic PHI (ePHI).
Download the HIPAA Privacy and Security for Group Health Plans: A Guide for Employers
This publication provides a high-level overview of the Privacy and Security Rules to help employers sponsoring group health plans understand the scope of their responsibilities. It includes a HIPAA Privacy and Security Compliance Overview for Self-Insured vs. Fully Insured Group Health Plans (Appendix A). The publication is not meant to serve as a comprehensive guide to HIPAA compliance. Plan sponsors often rely on HIPAA compliance vendors and legal counsel to satisfy many requirements of the Privacy and Security Rules. In addition, note that state privacy laws vary and fall outside the scope of this publication.